We Claim:

1. A method of managing a virtual private network, the method comprising:



receiving a request to join a given virtual private network having a set of network
devices, the request being received from a given network device having a given network
device identifier that identifies the given network device;

retrieving, from a network device memory set, a set of network device identifiers 
that identify all network devices in the set of network devices; 

forwarding a notify message to each network device in the set of network devices,
the notify message including the given network device identifier; 

forwarding a join message to the given network device, the join message including 
the set of network device identifiers; and

storing, in the network device memory set, the given network device identifier. 

2. The method as defined by claim 1 wherein in response to receipt of the notify
message, at least one of the set of network devices communicates with the given
network device to establish a communication tunnel with the given network device.

3. The method as defined by claim 1 wherein in response to receipt of the join
message, the given network device communicates with at least one of the network
devices in the set of network devices to establish a communication tunnel with the
at least one of the set of network devices.

4. The method as defined by claim 1 wherein the request includes a network identifier
identifying the given virtual private network.

5. The method as defined by claim 1 wherein the total number of network devices in
the set of network devices equals zero, the network device memory set being a
database that is established for the given virtual private network in response to

6. The method as defined by claim 1 wherein the request is received from a packet
based network.

7. The method as defined by claim 1 further comprising: 

authenticating the request to confirm the identity of the given network device. 

8. The method as defined by claim 1 wherein each network identifier is an Internet
Protocol address. 

9. The method as defined by claim 1 further comprising: 
receiving a remove message from a remove network device;

retrieving all network device identifiers from the network device memory set; and

forwarding a first message to all network devices identified by retrieved network
device identifiers, each first message including a remove identifier identifying the remove
network device.

10. The method as defined by claim 9 wherein in response to receipt of the first 
message, at least one of the network devices in the set of network devices 
disconnects a communication tunnel between the at least one network device and 
the remove network device.

11. The method as defined by claim 9 further comprising:

forwarding a second message to the remove network device, the second message 
including the retrieved network device identifiers. 

12. The method as defined by claim 1 wherein the join message and notify message
include data identifying the given virtual private network.

13. The method as defined by claim 1 further comprising: 
generating the notify message and the join message.
14. An apparatus for managing a virtual private network, the apparatus comprising:

an input that receives a request to join a given virtual private network having a set
of network devices, the request being received from a given network device having a given
network device identifier that identifies the given network device;

data storage for storing a set of network device identifiers that identify all network
devices in the set of network devices;

a message generator that generates a notify message and a join message, the notify
message including the given network device identifier, the join message including the set of
network device identifiers;

a request parser that parses the request to determine the given network device
identifier for storage in the data storage; and

an output that forwards one copy of the notify message to each network device in
the set of network devices, the output also forwarding the join message to the given
network device.

15. The apparatus as defined by claim 14 wherein in response to receipt of the notify 
message, at least one of the set of network devices communicates with the given network
device to establish a communication tunnel with the given network device. 

16. The apparatus as defined by claim 14 wherein in response to receipt of the join
message, the given network device communicates with at least one of the network 
devices in the set of network devices to establish a communication tunnel with the 
at least one of the set of network devices. 

17. The apparatus as defined by claim 14 wherein the request includes a network 
identifier identifying the given virtual private network. 

18. The apparatus as defined by claim 14 wherein the total number of network devices
in the set of network devices equals zero, the data storage including a database that
is generated for the given virtual private network in response to receipt of the

19. The apparatus as defined by claim 14 wherein the request is received from a packet
based network. 

20. The apparatus as defined by claim 14 further comprising: 

an authentication module operatively coupled with the input, the authentication 
module authenticating the request to confirm the identity of the given network device. 

21. The apparatus as defined by claim 14 wherein each network identifier is an Internet 
Protocol address. 

22. The apparatus as defined by claim 14 wherein the input receives a remove message
from a remove network device, the remove network device being one of the set of
network devices, the apparatus further comprising:

retrieval logic that retrieves all network device identifiers from the network device
memory set; and

a removal message generator operatively coupled with the retrieval logic, the 
removal message generator generating a first message having a remove identifier 
identifying the remove network device, the output forwarding the first message to all 
network devices identified by retrieved network device identifiers. 

23. The apparatus as defined by claim 22 wherein in response to receipt of the first
message, at least one of the network devices in the set of network devices disconnects a
communication tunnel between the at least one network device and the remove network
device.

24. The method as defined by claim 22 wherein the remove message generator
generates a second remove message that is forwarded to the remove network device, 
the second remove message including the retrieved network device identifiers. 

25. The method as defined by claim 14 wherein the join message and notify message
include data identifying the given virtual private network.

26. A computer program product for use on a computer system for managing a virtual
private network, the computer program product comprising a computer usable
medium having computer readable program code thereon, the computer readable
program code including:

program code for receiving a request to join a given virtual private network having a 
set of network devices, the request being received from a given network device having a 
given network device identifier that identifies the given network device;

program code for retrieving, from a network device memory set, a set of network
device identifiers that identify all network devices in the set of network devices; 

program code for forwarding a notify message to each network device in the set of 
network devices, the notify message including the given network device identifier;

program code for forwarding a join message to the given network device, the join 
message including the set of network device identifiers; and 

program code for storing, in the network device memory set, the given network 
device identifier.

27. The computer program product as defined by claim 26 wherein in response to 
receipt of the notify message, at least one of the set of network devices
communicates with the given network device to establish a communication tunnel
with the given network device.

28. The computer program product as defined by claim 26 wherein in response to 
receipt of the join message, the given network device communicates with at least 
one of the network devices in the set of network devices to establish a
communication tunnel with the at least one of the set of network devices. 

29. The computer program product as defined by claim 26 wherein the request includes
a network identifier identifying the given virtual private network.

30. The computer program product as defined by claim 26 wherein the total number of
network devices in the set of network devices equals zero, the network device memory set
being a database that is established for the given virtual private network in response to
receipt of the request.

31. The computer program product as defined by claim 26 wherein the request is 
received from a packet based network. 

32. The computer program product as defined by claim 26 further comprising: 
program code for authenticating the request to confirm the identity of the given
network device.

33. The computer program product as defined by claim 26 wherein each network
identifier is an Internet Protocol address. 

34. The computer program product as defined by claim 26 further comprising:
program code for receiving a remove message from a remove network device;

program code for retrieving all network device identifiers from the network device
memory set;

program code for generating a first message having a remove identifier identifying
the remove network device; and

program code for forwarding the first message to all network devices identified by
retrieved network device identifiers.

35. The computer program product as defined by claim 34 wherein in response to
receipt of the first message, at least one of the network devices in the set of network
devices disconnects a communication tunnel between the at least one network
device and the remove network device.

36. The computer program product as defined by claim 34 further comprising:
program code for generating a second message having the retrieved network device
identifiers; and

program code for forwarding the second message to the remove network device. 

37. The computer program product as defined by claim 26 wherein the join message 
and notify message include data identifying the given virtual private network. 

38. The computer program product as defined by claim 26 further comprising:
program code for generating the notify message; and

program code for generating the join message.

39. A method of managing a virtual private network having a set of member network 
devices, each member network device being identified by a device identifier, the 
method comprising:

maintaining a storage device having the device identifier of each member of the set
of network devices, the storage device being updated as network devices are added to and
removed from the virtual private network;

receiving a request to join the virtual private network, the request being received
from a given network device having a given network device identifier and data identifying
the virtual private network;

generating a notify message having the given network device identifier; 

generating a join message having the device identifiers in the storage device; 

forwarding the notify message to each of the set of network devices; and

forwarding the join message to the given network device.

40. The method as defined by claim 39 wherein in response to receipt of the notify
message, at least one of the set of network devices communicates with the given
network device to establish a communication tunnel with the given network device.

41. The method as defined by claim 39 wherein in response to receipt of the join
message, the given network device communicates with at least one of the member
network devices to establish a communication tunnel with the at least one member
network device.

42. The method as defined by claim 39 further comprising:

authenticating the request to confirm the identity of the given network device.

43. The method as defined by claim 39 further comprising:
receiving a remove message from a remove network device;
retrieving all device identifiers from the storage device; and

forwarding a first message to all network devices identified by retrieved device
identifiers, each first message including a remove identifier identifying the remove network
device.

44. The method as defined by claim 43 wherein in response to receipt of the first
message, at least one of the member network devices disconnects a communication
tunnel between the at least one member network device and the remove network
device.

45. The method as defined by claim 43 further comprising: 

forwarding a second message to the remove network device, the second message
including the retrieved device identifiers.

46. A computer program product for use on a computer system for managing a virtual
private network having a set of member network devices, each member network
device being identified by a device identifier, the computer program product
comprising a computer usable medium having computer readable program code
thereon, the computer readable program code including:

program code for maintaining a storage device having the device identifier of each
member of the set of network devices, the storage device being updated as network devices
are added to and removed from the virtual private network;

program code for receiving a request to join the virtual private network, the request
being received from a given network device having a given network device identifier and
data identifying the virtual private network;

program code for generating a notify message having the given network device
identifier;

program code for generating a join message having the device identifiers in the
storage device;

program code for forwarding the notify message to each of the set of network
devices; and

program code for forwarding the join message to the given network device. 

47. The computer program product as defined by claim 46 wherein in response to 
receipt of the notify message, at least one of the set of network devices 
communicates with the given network device to establish a communication tunnel
with the given network device.

48. The computer program product as defined by claim 46 wherein in response to 
receipt of the join message, the given network device communicates with at least
one of the member network devices to establish a communication tunnel with the at 
least one member network device. 

49. The computer program product as defined by claim 46 further comprising: 
program code for authenticating the request to confirm the identity of the given
network device.

50. The computer program product as defined by claim 46 further comprising:
program code for receiving a remove message from a remove network device;
program code for retrieving all device identifiers from the storage device; and
program code for forwarding a first message to all network devices identified by
retrieved device identifiers, each first message including a remove identifier identifying the
remove network device.

51. The computer program product as defined by claim 50 wherein in response to
receipt of the first message, at least one of the member network devices disconnects
a communication tunnel between the at least one member network device and the
remove network device.

52. The computer program product as defined by claim 50 further comprising: 
program code for forwarding a second message to the remove network device, the

second message including the retrieved device identifiers. 
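The join and remove exchanges of claims 1-13 (and their restatement for member network devices in claims 39-45, with the apparatus and program-product claims in between) are easier to follow as a running simulation. The following is an added example written for this page; it is not code from the patent or its assignee. The class and message names (VpnManager, MemberDevice, Message, the "notify", "join", "remove_first" and "remove_second" kinds) and the message field layout are assumptions chosen for the example; the claims do not specify a wire format. The authentication step of claims 7 and 42 is modelled as a caller-supplied hook, and the example removes the departing identifier from the memory set before retrieving the remaining identifiers, an ordering the claims leave open.

```python
"""Simulation of the VPN membership protocol described in the claims.

Added example for this page, not the patent's own code. Names and message
shapes are assumptions; the claims describe only the message contents.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    kind: str    # "notify", "join", "remove_first" or "remove_second" (assumed names)
    vpn_id: str  # data identifying the VPN carried in every message (claim 12)
    to: str      # destination network device identifier
    ids: tuple   # network device identifiers carried by the message


class MemberDevice:
    """Simulated member device: reacts to messages by opening or closing tunnels."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.tunnels: set[str] = set()   # identifiers we hold a tunnel to

    def receive(self, msg: Message) -> None:
        if msg.kind == "notify":            # a device joined: tunnel to it (claim 2)
            self.tunnels.update(msg.ids)
        elif msg.kind == "join":            # we joined: tunnel to every member (claim 3)
            self.tunnels.update(msg.ids)
        elif msg.kind == "remove_first":    # a member left: disconnect it (claim 10)
            self.tunnels.difference_update(msg.ids)
        elif msg.kind == "remove_second":   # we left: disconnect the listed members (claim 11)
            self.tunnels.difference_update(msg.ids)


class VpnManager:
    """Holds the 'network device memory set': one identifier set per VPN."""

    def __init__(self, authenticator=None):
        self._memory: dict[str, set[str]] = {}      # vpn_id -> member identifiers
        self.devices: dict[str, MemberDevice] = {}  # simulated endpoints, keyed by identifier
        # Hook for claim 7; the default accepts everything and exists only for the demo.
        self._authenticate = authenticator or (lambda vpn_id, device_id: True)

    def _deliver(self, msg: Message) -> None:
        self.devices[msg.to].receive(msg)

    def join(self, vpn_id: str, device_id: str) -> list:
        """Process a join request; returns the messages sent, in order."""
        ipaddress.ip_address(device_id)            # identifiers are IP addresses (claim 8)
        if not self._authenticate(vpn_id, device_id):
            # Authenticate before anything is broadcast, so a forged request
            # never reaches the existing members as a notify message.
            raise PermissionError(f"join from {device_id} not authenticated")
        members = self._memory.setdefault(vpn_id, set())   # empty set: new database (claim 5)
        self.devices.setdefault(device_id, MemberDevice(device_id))
        current = tuple(sorted(members))           # retrieve all existing identifiers
        sent = [Message("notify", vpn_id, m, (device_id,)) for m in current]
        sent.append(Message("join", vpn_id, device_id, current))
        for msg in sent:
            self._deliver(msg)
        members.add(device_id)                     # store the new identifier last
        return sent

    def remove(self, vpn_id: str, device_id: str) -> list:
        """Process a remove message; returns the messages sent, in order."""
        members = self._memory[vpn_id]
        members.discard(device_id)                 # ordering choice of this example
        remaining = tuple(sorted(members))         # retrieve the remaining identifiers
        sent = [Message("remove_first", vpn_id, m, (device_id,)) for m in remaining]
        sent.append(Message("remove_second", vpn_id, device_id, remaining))
        for msg in sent:
            self._deliver(msg)
        return sent

    def members(self, vpn_id: str) -> tuple:
        return tuple(sorted(self._memory.get(vpn_id, ())))


if __name__ == "__main__":
    mgr = VpnManager()
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):   # constructed sample identifiers
        for m in mgr.join("vpn-1", ip):
            print(m)
    for m in mgr.remove("vpn-1", "10.0.0.2"):
        print(m)
    print({d: sorted(dev.tunnels) for d, dev in mgr.devices.items()})
```

Two points worth noticing when running it: the notify message fans out to every existing member, which is why the identity check sits before retrieval rather than after, and the very first join of a VPN produces only a join message with an empty identifier list, the claim 5 case, so a member that mishandles an empty list fails on day one.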

53. A method of managing a virtual private network, the method comprising: 

a given network device transmitting a request to join the virtual private network
having a set of network devices, the given network device having a given network device
identifier that identifies the given network device;

retrieving, from a network device memory set, a set of network device identifiers
that identify all network devices in the set of network devices;

forwarding a notify message to each network device in the set of network devices,
the notify message including the given network device identifier;

forwarding a join message to the given network device, the join message including
the set of network device identifiers; and

storing, in the network device memory set, the given network device identifier. 

54. The method as defined by claim 53 further comprising:
receiving the notify message;

retrieving the given network device identifier from the received notify message; and 
establishing a communication tunnel to the given network device after the given